@thornmaker: Sorry, yes, I was focused more on the fact that the <script> tag isn't rendered as HTML... but you're right, if the three slashes weren't added, that would close off the script and you could insert HTML.
However, aren't those slashes enough? Since the forward slash is escaped, it still doesn't seem like an XSS issue...
Forum: XSS Info

It's been a while since I looked at this sort of JSON hijacking, but I know you can't override the Object constructor like you can the Array constructor, so that method of attack would not work.
I recall there still being some possible issues with this format, though, which is why (for instance) Facebook includes a bit of dummy code at the start of any JSON responses.
Forum: XSS Info

Keep in mind that the part of the source code you're looking at is already inside of a bunch of JavaScript - in fact, it's part of a string inside of a JSON assignment. The slashes before the quote marks prevent them from terminating the string and allowing injection of new scripts. Consequently, this wouldn't qualify as an XSS hole, even though the appearances of <> unencoded may make it lo
Forum: XSS Info

Hey all, I've often visited the XSS Cheat Sheet, RSnake's blog, and these forums (particularly about non-alnum JS, which I discovered during last year's OWASP Sweden contest), but I'd never actually joined until last week. Figured I should make a formal introduction.
I'm Joey Tyson, a.k.a. theharmonyguy, and got started with security through a hobby of finding holes in Facebook apps. During grad
Forum: Intro

Well, I created an initial, non-optimized possible starting point:
// 157
location.hash='javascript:alert(1)';
ð=[_='',Ú=!_+_,$=!!_+_,æ=!_/!!_+_,þ={}+_,µ=Ú[+_],ø=þ[++_],Ñ=æ[_],Á=$[_++],Ç=þ[++_+(--_)]][Ç+ø+Ñ+Ç+Á+µ],(Å=ð()[+[]])[ª=$[_]+ø+Ç+Á+µ+æ[++_]+ø+Ñ]=/[^#]+$/(Å[ª])
However, this one is only Firefox and Chrome (probably Safari) so far, since apparently IE do
Forum: Obfuscation

After learning more about regex and seeing .mario's use of it, I got down to 106:
location.hash='javascript:alert(1)';
(æ=([µ,ð,,,,Ñ,,Å]=[ƒ=!'']+ƒ/!ƒ,[[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}][$+ø+ð+µ])())[_=ª+ø+Ç+Á+µ+Å+ø+Ñ]=/#(.*)/(æ[_])[+ƒ]
At first this was 107, and after reading LeverOne's mention of Gareth's trick, I could only get to 104... and then I realized I had once again lef
Forum: Obfuscation

I was playing around with some of the tricks on this list and came across two issues...
First, some of the ones under "all browsers" use __proto__ and __parent__. But wouldn't those exclude IE (and Opera)? Also, __proto__.__parent__ is undefined in Chrome.
Second, we should perhaps distinguish between getting a window object and getting the window object of the current document. Fo
Forum: Obfuscation

OK LeverOne, I think I've gotten 117:
http:// victim.com/#*/alert(1)//javascript:/*xx
_=([µ,ð,,É,,Ñ,,Å]=[ƒ=!'']+ƒ/!ƒ,[[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}][$+ø+ð+µ])()[ª+ø+Ç+Á+µ+Å+ø+Ñ],_=(_+Á)[$+ª+Å+Ç+É](++ƒ*-ƒ<<ƒ)+_
btw, when I try this style in Firefox, the redirect happens but the new script doesn't actually execute; not sure if it's just a setting of mine or wh
Forum: Obfuscation

Not the first time I've forgotten about a leftover letter. :)
You know, we could change it to be cross-browser - that would not only remove btoa but (x=[]['sort'])() as well. Though these exercises may be more fun for a newbie like me. :)
Forum: Obfuscation

LeverOne Wrote:
-------------------------------------------------------
> First, think about that number (ƒ*ƒ*ƒ), and you
> get 120 - is the limit.
That number is 2*2*2=8... not following you.
Totally forgot about bitwise operators. Very slick.
LeverOne Wrote:
-------------------------------------------------------
> Secondly, "eval" - this is the wrong directio
Forum: Obfuscation

OK, I'm open to hints - I must be missing some trick because I just can't seem to get under 144:
(æ=[ƒ='',[µ,ð,Ú,É,,Ñ]=[!ƒ++]+ƒ[[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}],_=Ñ+Á+(þ=ƒ[Ç+ø+Ñ+$+µ+ð+Ú+Ç+µ+ø+ð]+Á)[ƒ+[ƒ]]+É][$+ø+ð+µ])()[É+þ[++ƒ+[++ƒ*ƒ]]+Á+ª](æ()[_])
I've tried to get rid of the opening ƒ='', find a shorter way to get "c" or "v", but it
Forum: Obfuscation

// 157, follows LeverOne's four rules
name='alert(1)';
(ð=[ƒ=+!'',[µ,æ,Ú,É,,Á,þ,$,,,ø,,,,Ç]=!!ƒ+[!ƒ]+{},Ñ=(ƒ/!ƒ+µ)[ƒ],ª=(ƒ[Ç+ø+Ñ+$+µ+æ+Ú+Ç+µ+ø+æ]+µ)[ƒ+[ƒ]]][$+ø+æ+µ])()[É+(ð+µ)[++ƒ+[++ƒ+ƒ+ƒ/ƒ]]+Á+þ](ð()[Ñ+Á+ª+É])
I tried employing some of the tricks that LeverOne and .mario have been using to shorten up the beginning, but without using b
Forum: Obfuscation

Oops, just noticed I had left some numbers in the code I originally posted - my bad. I've gotten down to 160 using a slightly different approach so far.
I'm totally game for more difficult/interesting challenges; you guys have just been way ahead of me on this stuff. :)
Forum: Obfuscation

LeverOne Wrote:
-------------------------------------------------------
> Yes, as well as characters 0-31. I do not quite
> understand what the problem? These symbols
> (127—159) can be filtered? Anything can be
> filtered.
I wasn't thinking so much of filtering as inserting - i.e., how are you going to make a request that includes those characters and get Firefox to reliab
Forum: Obfuscation

You guys may have already tackled this, but I didn't recall seeing it yet...
There was a topic on here for the shortest non-alphanumeric JS to execute alert(1), changed to alert('owasp') for the AppSec challenge. Then much time has been invested trying to find the smallest set of non-alnum characters needed to execute arbitrary JS.
So I figured, why not for the fun of it combine the two - fin
Forum: Obfuscation